Date: Tue, 6 Jul 2010 09:16:55 -0600
From: dann frazier <dannf@...nf.org>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org
Subject: CVE Request: kernel: hvc_console: Fix race between hvc_close and hvc_remove

[cc'ing coley@...us.mitre.org]

On Wed, Jun 30, 2010 at 11:06:41PM -0600, dann frazier wrote:
> On Sat, Apr 17, 2010 at 11:26:46PM -0400, Michael Gilbert wrote:
> > On Sat, 17 Apr 2010 18:15:42 -0400 Michael Gilbert wrote:
> >
> > > On Thu, 04 Mar 2010 17:03:58 +0800 Eugene Teo wrote:
> > >
> > > > Heads-up. You might want to backport this if your kernel is affected. We
> > > > are not requesting a CVE name for this as it does not affect any of our
> > > > Red Hat supported kernels.
> > >
> > > are you sure about this? i see the vulnerable code upstream in both
> > > 2.6.26 and 2.6.32. does redhat not ship hvc in their kernels? i think
> > > this should get a cve id because the more vanilla distros will have
> > > shipped with this included.
> >
> > i see that hvc_console is disabled by default in the debian kernels,
>
> Actually, upon review, I see that it is enabled (see the powerpc64
> image). Therefore, I'd like to request a CVE ID for it.
>
> > and i assume it is the same for the redhat kernels.
> >
> > are issues in features that are disabled by default generally treated
> > as unimportant? there are bound to be a (perhaps small) subset of users
> > turning these features on; exposing themselves to more risk if these
> > issues go unfixed. i suppose cve assignment depends on whether or not
> > there is an expectation to protect those users in addition to
> > defaults-using users.
> >
> > mike
> >
>

--
dann frazier